The Health Insurance Portability and Accountability Act (HIPAA) requires that you follow best practices for security and access controls. Amazon Web Services (AWS) is the most popular cloud computing service provider, so it is important to understand how to use AWS services in order to set up a proper HIPAA architecture. HIPAA compliance is never something to take lightly, so it’s always best to be aware of best practices when it comes to securing protected health information (PHI). Below we will go through the different areas of your architecture that you will want to take into consideration for HIPAA, along with some HIPAA-eligible AWS services that you can use to meet those needs.
Using SSL certificates is a no-brainer for any website these days, never mind a healthcare website that deals with PHI. To manage SSL certificates within AWS, you can use AWS Certificate Manager. You always want to process, store, and transmit data in encrypted formats. Having valid SSL certificates is HIPAA security and compliance 101; your cloud services should always have them.
Everyone knows that Amazon EC2 is the de facto way to create and manage servers on AWS. However, in today’s DevOps world, you might also be interested in a number of other AWS services for managing your servers, including:
There are a number of different ways to manage servers through AWS these days. If you are not sure which path to go down, we recommend trying AWS Fargate. Fargate works with both EKS and ECS. At the end of the day, these are all ways to manage Amazon EC2 instances, but AWS Fargate takes the most off of your shoulders.
For database management on AWS, we recommend Amazon Relational Database Service (RDS). Keep in mind that, as with most applications, you will want to enable:
Most applications require some form of cloud storage these days. On AWS, you can use Amazon S3 and Amazon S3 Glacier for storing and archiving assets from your application. We recommend restricting Amazon S3 bucket access to your application and exposing only expiring URLs to users or colleagues, so that the locations of assets within your Amazon S3 bucket are not exposed.
For a complete overview of Amazon S3 HIPAA Compliance.
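The expiring-URL approach recommended above, as an added example that is not Flatirons' or AWS's own code: it builds an S3 presigned GET URL following the SigV4 query-string scheme using only Python's standard library (in practice you would call boto3's generate_presigned_url), and a stand-in for S3's receive-side check shows why the expiry holds: the timestamp and X-Amz-Expires are inside the signed data, so a URL cannot be extended or re-pointed without the secret key. Credentials, bucket and object names are constructed placeholders.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret: str, host: str, key: str, query: dict, region: str) -> str:
    # SigV4 query-string signing: date, expiry, host and object path are all covered by the signature
    amz_date = query["X-Amz-Date"]
    canonical_query = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join(["GET", quote("/" + key, safe="/"), canonical_query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, f"{amz_date[:8]}/{region}/s3/aws4_request", hashlib.sha256(canonical_request.encode()).hexdigest()])
    signing_key = _hmac(("AWS4" + secret).encode(), amz_date[:8])  # derived per day/region/service; the raw secret is never in the URL
    for part in (region, "s3", "aws4_request"):
        signing_key = _hmac(signing_key, part)
    return hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign_get(access_key: str, secret: str, bucket: str, key: str, region: str, expires: int, now: datetime) -> str:
    """Build a time-limited GET URL for a single object; the bucket itself stays private."""
    if not 1 <= expires <= 604800:  # S3 caps presigned URLs at 7 days; PHI links should be much shorter
        raise ValueError("expires must be between 1 and 604800 seconds")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256", "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request", "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    query["X-Amz-Signature"] = _signature(secret, host, key, query, region)
    return f"https://{host}/{quote(key, safe='/')}?{urlencode(query)}"

def verify_presigned(url: str, secret: str, now: datetime) -> bool:
    """Stand-in for S3's receive-side check: recompute the signature in constant time, then enforce the expiry."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    presented = query.pop("X-Amz-Signature", "")
    region = query["X-Amz-Credential"].split("/")[2]
    expected = _signature(secret, parts.netloc, unquote(parts.path[1:]), query, region)
    if not hmac.compare_digest(presented, expected):
        return False
    issued = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return timedelta(0) <= now - issued <= timedelta(seconds=int(query["X-Amz-Expires"]))

def demo() -> dict:
    # Constructed credentials and object name; the clock is fixed so the run is deterministic
    now = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
    url = presign_get("AKIAEXAMPLE", "example-secret", "phi-assets-example", "reports/visit-123.pdf", "us-east-1", 300, now)
    ok = verify_presigned(url, "example-secret", now + timedelta(seconds=299))
    expired = verify_presigned(url, "example-secret", now + timedelta(seconds=301))
    tampered = verify_presigned(url.replace("X-Amz-Expires=300", "X-Amz-Expires=86400"), "example-secret", now + timedelta(seconds=3600))
    return {"valid_before_expiry": ok, "rejected_after_expiry": not expired, "rejected_extended_expiry": not tampered}
```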
Within your cloud infrastructure, there’s a good chance that you want virtual private clouds configured with subnets within them. To isolate environments from each other, you might even want separate VPCs for each environment you run. To configure VPCs, you can use Amazon VPC. Within your Amazon VPC you can configure subnets for your environments. Some additional network security services you may want to include:
When it comes to HIPAA compliance, access controls are important. Your HIPAA-compliant applications should only give the necessary levels of access to your employees and business associates. That is true for all of your HIPAA-compliant AWS infrastructures, along with any services that contain sensitive data (especially PHI). AWS Identity and Access Management can help you create policies to control access for the different people that might manage PHI.
To visualize your architecture and application, set up Amazon CloudWatch. You can use it to monitor application performance, perform root cause analysis, optimize cloud resources, and handle some logging.
You should set up your AWS account to send you notifications of any alerts it raises. Use Amazon Simple Notification Service (SNS) to send yourself an email or an SMS message whenever an alert is received.
Detecting unauthorized access and keeping access and infrastructure logs are important for HIPAA-compliant applications. AWS CloudTrail can help you put these items in place. CloudTrail might as well have been designed for things like HIPAA compliance: auditing and security incident identification are two of its main purposes.
We highly recommend not using manual deploys for HIPAA applications. Manual deploys open the gate for human error. To configure CI/CD on AWS, you can use AWS CodePipeline. Depending on your configuration, you may also have to get your hands dirty with AWS CodeCommit and AWS CodeDeploy.
A lot goes into setting up AWS to be HIPAA compliant. The information above is pertinent to covered entities, business associates, and business associate subcontractors. If you need help getting a HIPAA-compliant architecture set up, Flatirons can help. We are a HIPAA-compliant software vendor that can sign a Business Associate Agreement with your organization. We have experience setting up HIPAA-compliant infrastructure on a number of cloud computing services.